eBay

I am using OAuth, and I believe the issue is with my refresh token. How can I go about renewing that?

Up until today I have been able to generate my user token and query the API. Now I cannot and do not see how to fix it. I have granted access, but still the same error above.

Thanks!

Have you made sure that your Marketplace account deletion is set? If you are accessing only your own account, then select the exemption option. If you don't complete the account deletion section, you won't get anywhere.

Next, go to your eBay account and revoke the third-party-access token so you can start fresh. You may find that it was already revoked when you changed your password.

https://accounts.ebay.com/acctsec/security-center 

Start again by generating a production OAuth token for your selling account. It will have a life of 2 hours.

Below are pages in the order that you may need them. The last link is the refresh token, which has an 18 month lifespan.  Notice the pink section at the bottom of the last page below, where changing a password can revoke the token.

https://developer.ebay.com/my/auth?env=production&index=0&auth_type=oauth

https://developer.ebay.com/api-docs/static/oauth-scopes.html

https://developer.ebay.com/api-docs/static/oauth-auth-code-grant-request.html

https://developer.ebay.com/api-docs/static/oauth-refresh-token-request.html

ShipScript has been an eBay Community volunteer since 2003, specializing in HTML, CSS, Scripts, Photos, Active Content, Technical Solutions, and online Seller Tools.

---

Thanks @shipscript for the help!

My market account deletion is exempt, as only my account is used. No others have to grant access. Under "Marketplace Account Deletion" I have exempt checked and "I do not persist eBay data". It's been like this the whole time (1+ years).

I then made sure, under my eBay account, that I revoked the access to this app. Another app is still listed, but mine is no longer there. My scopes are still set and are listed on the user tokens page (those haven't changed).

I then went to https://developer.ebay.com/api-docs/static/oauth-auth-code-grant-request.html and posted that in Postman, making sure to pass all of the credentials. It mentions to use the "code" value from the grant access, so I followed that process and used the code supplied in the URL. When I post I get 400 Bad Request w/ no explanation why.

curl --location 'https://api.ebay.com/identity/v1/oauth2/token' \
--header 'Cache-Control: no-cache' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic Sm9lbEZ...xMmM=' \
--header 'Cookie: dp1=bu1p/QEBfX0BAX19AQA**6608a38c^' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'redirect_uri=Jo...dlw' \
--data-urlencode 'code=v^1.1#...MjYw'

I am at a loss.

I was able to then generate a new OAuth token that still has some time left.  I can login to the developer site, so I'm not thinking my account was up and deleted.

My next I am gonna try in code and not Postman. Hopefully that fixes it!

GREATLY appreciate the feedback @shipscript 

any chance you can post the refresh token code? I'm trying to refresh the OAuth user access token I got from the developer site and I keep getting ERROR __main__ Error refreshing access token: {"error":"invalid_grant","error_description":"the provided authorization refresh token is invalid or was issued to another client"} when I run:

@vandelaybreaks  Here's my code (it's PHP).

$curl = curl_init();

$data = [
    'grant_type'    => "refresh_token",
    'refresh_token' => $config['refresh_token'],
    'scope'         => 'https://api.ebay.com/oauth/api_scope'
];

curl_setopt_array(
    $curl,
    [
        CURLOPT_URL => 'https://api.ebay.com/identity/v1/oauth2/token',
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_ENCODING => '',
        CURLOPT_MAXREDIRS => 10,
        CURLOPT_TIMEOUT => 0,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
        CURLOPT_CUSTOMREQUEST => 'POST',
        CURLOPT_POSTFIELDS => http_build_query($data),
        CURLOPT_HTTPHEADER => [
            'Content-Type: application/x-www-form-urlencoded',
            'Authorization: Basic ' . base64_encode($config['app_id'] . ":" . $config['cert_id'])
        ]
    ]
);

$response = curl_exec($curl);

curl_close($curl);

$results = json_decode($response, true);

When I tried using Postman to do this, I always got errors. When I hand-coded this and ran on the CLI it worked, and has worked since.

https://developer.ebay.com/api-docs/static/oauth-refresh-token-request.html says:

"it is best to refresh each access token after it expires (and you receive an "Invalid access token" error), rather than trying to renew each token before it expires.

If your refresh token gets revoked (or if it expires), then you must redo the consent-request flow in order to get a new access token and refresh token for the associated user."

Is my understanding correct?

Do not renew the refresh token before it expires. Instead, ask user consent again when the refresh token expires (e.g. 18 months). 

I believe you are correct. There's the user consent token that you renew every 18 months. Then there's a refresh token that expires rather quickly. My code above was for the latter.